Open telmich opened 4 years ago
Just checked if there is a workaround to use iptables, but it seems iptables is gone / even the iptables package provides ip6tables-nft.
[20:51:46] server2.place6:~# dpkg -l | grep nft
ii libnftables0:amd64 0.9.0-2 amd64 Netfilter nftables high level userspace API library
ii libnftnl11:amd64 1.1.2-2 amd64 Netfilter nftables userspace API library
ii libnftnl4:amd64 1.0.7-1 amd64 Netfilter nftables userspace API library
ii nftables 0.9.0-2 amd64 Program to control packet filtering rules by Netfilter project
[21:30:05] server2.place6:~# ls -alh /usr/sbin/ip6tables /etc/alternatives/ip6tables /usr/sbin/ip6tables-nft
lrwxrwxrwx 1 root root 23 May 15 21:29 /etc/alternatives/ip6tables -> /usr/sbin/ip6tables-nft
lrwxrwxrwx 1 root root 27 May 15 21:29 /usr/sbin/ip6tables -> /etc/alternatives/ip6tables
lrwxrwxrwx 1 root root 17 Mar 1 2019 /usr/sbin/ip6tables-nft -> xtables-nft-multi
[21:30:26] server2.place6:~# dpkg -S /usr/sbin/ip6tables-nft
iptables: /usr/sbin/ip6tables-nft
[21:30:32] server2.place6:~#
The error clearly states that you are mixing iptables-legacy and iptables-nft tables at once.
@divanikus I am not sure if I understand you. Is iptables-legacy a package that should be available?
[22:39:31] server4.place6:/etc/alternatives# apt search iptables-legacy
Sorting... Done
Full Text Search... Done
[22:39:39] server4.place6:/etc/alternatives#
No, they are supplied within the iptables package. They simply use different kernel modules to operate, and it is strongly advised not to try to mix them both.
Here's a part of your log:
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Seems like something on a compute node has created entries in iptables-legacy, possibly directly, because if you call plain iptables commands, it would create entries within the nft realm.
Opennebula works with iptables-nft just fine though.
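As an added example (not code from this thread or from OpenNebula), the following POSIX shell script performs the two checks divanikus describes: which backend the `iptables`/`ip6tables` alternatives resolve to, and whether rules exist in both the legacy and the nft backend at once. The link targets `xtables-nft-multi` and `xtables-legacy-multi` follow the Debian layout visible in the `ls -alh` output above; `iptables-legacy-save`, `iptables-nft-save` and their `ip6tables` counterparts are the per-backend save commands shipped in Debian's iptables package. The embedded dump is a constructed sample, not output captured from the reporter's host.

```shell
#!/bin/sh
# Added example for this thread; not code from the issue or from OpenNebula.
# Checks the two things divanikus points at: which backend the iptables
# binaries resolve to, and whether rules live in the legacy backend too.

# Print "nft", "legacy" or "unknown" for the backend an iptables binary
# resolves to. Debian links iptables -> /etc/alternatives/iptables ->
# iptables-nft -> xtables-nft-multi (or xtables-legacy-multi for legacy).
backend_of() {
    target=$(readlink -f "$1" 2>/dev/null) || target=""
    case "$target" in
        *xtables-nft-multi)    echo nft ;;
        *xtables-legacy-multi) echo legacy ;;
        *)                     echo unknown ;;
    esac
}

# Succeed (exit 0) if a *-save dump carries the "legacy tables present"
# warning that iptables-nft prints when both backends hold tables.
has_mixed_warning() {
    printf '%s\n' "$1" | grep -q 'Warning: .*tables-legacy tables present'
}

# Count rule lines ("-A ...") in a *-save dump; 0 means the backend is empty.
# "|| true" keeps grep's exit status 1 on zero matches from tripping set -e.
count_rules() {
    printf '%s\n' "$1" | grep -c '^-A ' || true
}

# Constructed sample of what ip6tables-nft-save prints on a mixed host.
SAMPLE_DUMP='# Generated by ip6tables-save v1.8.2 (constructed sample)
# Warning: ip6tables-legacy tables present, use ip6tables-legacy to see them
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i vnet0 -j ACCEPT
-A FORWARD -o vnet0 -j ACCEPT
COMMIT'

# Live check of this host; prints one line per finding. Returns 1 when
# both backends hold rules for a family (the situation the thread diagnoses).
report_live() {
    mixed=0
    for bin in iptables ip6tables; do
        echo "$bin resolves to: $(backend_of "/usr/sbin/$bin")"
    done
    for fam in iptables ip6tables; do
        legacy=$(command -v "${fam}-legacy-save" >/dev/null 2>&1 && "${fam}-legacy-save" 2>/dev/null || true)
        nft=$(command -v "${fam}-nft-save" >/dev/null 2>&1 && "${fam}-nft-save" 2>/dev/null || true)
        l=$(count_rules "$legacy"); n=$(count_rules "$nft")
        echo "$fam: $l legacy rule(s), $n nft rule(s)"
        if [ "$l" -gt 0 ] && [ "$n" -gt 0 ]; then mixed=1; fi
    done
    return $mixed
}

# Run against the live host only when asked: sh check-backend.sh --live
case "${1:-}" in
    --live) report_live ;;
esac
```

Run with `--live` as root on a compute node: a non-zero exit means a family has rules in both backends, which is exactly when iptables-nft prints the warning quoted above; the fix is to find whatever still calls `iptables-legacy` (or loads rules through the legacy xtables modules) rather than to flush blindly.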
@divanikus You are absolutely right, sorry for the noise. Just one question for the future: are there any plans to support nft natively in opennebula?
Idk, I'm just a user of ONE, like you :)
Yes, we've talked about this internally. It is definitely on our radar, although not a top priority as long as the iptables interface is supported for nft-tables.
I've hijacked your issue to include native nft interface for SG implementations
/!\ To report a security issue please follow this procedure: [https://github.com/OpenNebula/one/wiki/Vulnerability-Management-Process]
Description
Trying to create a VM on Devuan Beowulf (= Debian 10 packages) fails when ip6tables is called.
To Reproduce
Use Debian 10 / Devuan Beowulf, have nft installed, deploy a VM in a network with security groups enabled.
Expected behavior
Don't fail to create a VM